--- sandbox/policy/freebsd/sandbox_freebsd.h.orig 2024-11-14 07:57:23 UTC +++ sandbox/policy/freebsd/sandbox_freebsd.h @@ -0,0 +1,276 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. +#ifndef SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_ +#define SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_ + +#include +#include +#include + +#include "base/logging.h" +#include "base/posix/global_descriptors.h" +#include "sandbox/policy/export.h" +#include "sandbox/policy/linux/sandbox_seccomp_bpf_linux.h" +#include "sandbox/policy/mojom/sandbox.mojom.h" +#include "base/sanitizer_buildflags.h" + +#if BUILDFLAG(USING_SANITIZER) +#include +#endif + +namespace base { +template +struct DefaultSingletonTraits; +class Thread; +} // namespace base + +namespace sandbox { +namespace syscall_broker { +class BrokerProcess; +} // namespace syscall_broker +} // namespace sandbox + +namespace sandbox { +namespace policy { + +// A singleton class to represent and change our sandboxing state for the +// three main Linux sandboxes. +// The sandboxing model allows using two layers of sandboxing. The first layer +// can be implemented either with unprivileged namespaces or with the setuid +// sandbox. This class provides a way to engage the namespace sandbox, but does +// not deal with the legacy setuid sandbox directly. +// The second layer is mainly based on seccomp-bpf and is engaged with +// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing" +// the first layer of sandboxing. That is, InitializeSandbox must always be +// called to have any meaningful sandboxing at all. +class SANDBOX_POLICY_EXPORT SandboxLinux { + public: + // This is a list of sandbox IPC methods which the renderer may send to the + // sandbox host. See + // https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandbox_ipc.md + // This isn't the full list, values < 32 are reserved for methods called from + // Skia, and values < 64 are reserved for libc_interceptor.cc. + enum LinuxSandboxIPCMethods { + DEPRECATED_METHOD_GET_FALLBACK_FONT_FOR_CHAR = 64, + DEPRECATED_METHOD_GET_CHILD_WITH_INODE, + DEPRECATED_METHOD_GET_STYLE_FOR_STRIKE, + METHOD_MAKE_SHARED_MEMORY_SEGMENT, + DEPRECATED_METHOD_MATCH_WITH_FALLBACK, + }; + + // These form a bitmask which describes the conditions of the Linux sandbox. + // Note: this doesn't strictly give you the current status, it states + // what will be enabled when the relevant processes are initialized. + enum Status { + // SUID sandbox active. + kSUID = 1 << 0, + + // Sandbox is using a new PID namespace. + kPIDNS = 1 << 1, + + // Sandbox is using a new network namespace. + kNetNS = 1 << 2, + + // seccomp-bpf sandbox active. + kSeccompBPF = 1 << 3, + + // The Yama LSM module is present and enforcing. + kYama = 1 << 4, + + // seccomp-bpf sandbox is active and the kernel supports TSYNC. + kSeccompTSYNC = 1 << 5, + + // User namespace sandbox active. + kUserNS = 1 << 6, + + // A flag that denotes an invalid sandbox status. + kInvalid = 1 << 31, + }; + + // SandboxLinux Options are a superset of SandboxSecompBPF Options. + struct Options : public SandboxSeccompBPF::Options { + // When running with a zygote, the namespace sandbox will have already + // been engaged prior to initializing SandboxLinux itself, and need not + // be done so again. Set to true to indicate that there isn't a zygote + // for this process and the step is to be performed here explicitly. + bool engage_namespace_sandbox = false; + + // Allow starting the sandbox with multiple threads already running. This + // will enable TSYNC for seccomp-BPF, which syncs the seccomp-BPF policy + // across all running threads. + bool allow_threads_during_sandbox_init = false; + + // Enables the CHECK for open directories. The open directory check is only + // useful for the chroot jail (from the semantic layer of the sandbox), and + // can safely be disabled if we are only enabling the seccomp-BPF layer. + bool check_for_open_directories = true; + }; + + // Callers can provide this hook to run code right before the policy + // is passed to the BPF compiler and the sandbox is engaged. If + // pre_sandbox_hook() returns true, the sandbox will be engaged + // afterwards, otherwise the process is terminated. + using PreSandboxHook = base::OnceCallback; + + // Get our singleton instance. + static SandboxLinux* GetInstance(); + + SandboxLinux(const SandboxLinux&) = delete; + SandboxLinux& operator=(const SandboxLinux&) = delete; + + bool SetPledge(const char *pstring, const char *ppath); + bool SetUnveil(const std::string process_type, sandbox::mojom::Sandbox sandbox_type); + + // Do some initialization that can only be done before any of the sandboxes + // are enabled. If using the setuid sandbox, this should be called manually + // before the setuid sandbox is engaged. + // Security: When this runs, it is imperative that either InitializeSandbox() + // runs as well or that all file descriptors returned in + // GetFileDescriptorsToClose() get closed. + // Otherwise file descriptors that bypass the security of the setuid sandbox + // would be kept open. One must be particularly careful if a process performs + // a fork(). + void PreinitializeSandbox(sandbox::mojom::Sandbox sandbox_type); + + // Check that the current process is the init process of a new PID + // namespace and then proceed to drop access to the file system by using + // a new unprivileged namespace. This is a layer-1 sandbox. + // In order for this sandbox to be effective, it must be "sealed" by calling + // InitializeSandbox(). + void EngageNamespaceSandbox(bool from_zygote); + + // Return a list of file descriptors to close if PreinitializeSandbox() ran + // but InitializeSandbox() won't. Avoid using. + // TODO(jln): get rid of this hack. + std::vector GetFileDescriptorsToClose(); + + // Seal an eventual layer-1 sandbox and initialize the layer-2 sandbox with + // an adequate policy depending on the process type and command line + // arguments. + // Currently the layer-2 sandbox is composed of seccomp-bpf and address space + // limitations. + // This function should only be called without any thread running. + bool InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, + PreSandboxHook hook, + const Options& options); + + // Stop |thread| in a way that can be trusted by the sandbox. + void StopThread(base::Thread* thread); + + // Returns the status of the renderer, worker and ppapi sandbox. Can only + // be queried after going through PreinitializeSandbox(). This is a bitmask + // and uses the constants defined in "enum Status" above. Since the + // status needs to be provided before the sandboxes are actually started, + // this returns what will actually happen once InitializeSandbox() + // is called from inside these processes. + int GetStatus(); + + // Returns true if the current process is single-threaded or if the number + // of threads cannot be determined. + bool IsSingleThreaded() const; + + // Returns true if we started Seccomp BPF. + bool seccomp_bpf_started() const; + + // Check the policy and eventually start the seccomp-bpf sandbox. This should + // never be called with threads started. If we detect that threads have + // started we will crash. + bool StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, + PreSandboxHook hook, + const Options& options); + + // Limit the address space of the current process (and its children) to make + // some vulnerabilities harder to exploit. Writes the errno due to setrlimit + // (including 0 if no error) into |error|. + bool LimitAddressSpace(int* error); + + // Returns a file descriptor to proc. The file descriptor is no longer valid + // after the sandbox has been sealed. + int proc_fd() const { + DCHECK_NE(-1, proc_fd_); + return proc_fd_; + } + +#if BUILDFLAG(USING_SANITIZER) + __sanitizer_sandbox_arguments* sanitizer_args() const { + return sanitizer_args_.get(); + }; +#endif + + // A BrokerProcess is a helper that is started before the sandbox is engaged, + // typically from a pre-sandbox hook, that will serve requests to access + // files over an IPC channel. The client of this runs from a SIGSYS handler + // triggered by the seccomp-bpf sandbox. + // |client_sandbox_policy| is the policy being run by the client, and is + // used to derive the equivalent broker-side policy. + // |broker_side_hook| is an alternate pre-sandbox hook to be run before the + // broker itself gets sandboxed, to which the broker side policy and + // |options| are passed. + // Crashes the process if the broker can not be started since continuation + // is impossible (and presumably unsafe). + // This should never be destroyed, as after the sandbox is started it is + // vital to the process. +#if 0 + void StartBrokerProcess( + const sandbox::syscall_broker::BrokerCommandSet& allowed_command_set, + std::vector permissions, + PreSandboxHook broker_side_hook, + const Options& options); + + sandbox::syscall_broker::BrokerProcess* broker_process() const { + return broker_process_; + } +#endif + + private: + friend struct base::DefaultSingletonTraits; + + SandboxLinux(); + ~SandboxLinux(); + + // We must have been pre_initialized_ before using these. + bool seccomp_bpf_supported() const; + bool seccomp_bpf_with_tsync_supported() const; + + // Returns true if it can be determined that the current process has open + // directories that are not managed by the SandboxLinux class. This would + // be a vulnerability as it would allow to bypass the setuid sandbox. + bool HasOpenDirectories() const; + + // The last part of the initialization is to make sure any temporary "hole" + // in the sandbox is closed. For now, this consists of closing proc_fd_. + void SealSandbox(); + + // GetStatus() makes promises as to how the sandbox will behave. This + // checks that no promises have been broken. + void CheckForBrokenPromises(sandbox::mojom::Sandbox sandbox_type); + + // Stop |thread| and make sure it does not appear in /proc/self/tasks/ + // anymore. + void StopThreadAndEnsureNotCounted(base::Thread* thread) const; + + // A file descriptor to /proc. It's dangerous to have it around as it could + // allow for sandbox bypasses. It needs to be closed before we consider + // ourselves sandboxed. + int proc_fd_; + + bool seccomp_bpf_started_; + // The value returned by GetStatus(). Gets computed once and then cached. + int sandbox_status_flags_; + // Did PreinitializeSandbox() run? + bool pre_initialized_; + bool seccomp_bpf_supported_; // Accurate if pre_initialized_. + bool seccomp_bpf_with_tsync_supported_; // Accurate if pre_initialized_. + bool yama_is_enforcing_; // Accurate if pre_initialized_. + bool initialize_sandbox_ran_; // InitializeSandbox() was called. +#if BUILDFLAG(USING_SANITIZER) + std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_; +#endif + sandbox::syscall_broker::BrokerProcess* broker_process_; // Leaked as global. +}; + +} // namespace policy +} // namespace sandbox + +#endif // SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_